Blast from the (recent) Past

Since the beginning of this week, we have been getting several reports about sites being injected with a malicious script... It seems a new mass SQL injection campaign has started, targeting web applications running on Microsoft IIS and ASP.NET, for a change (<- sarcasm).

As of this writing, over 100,000 sites have already been tampered with to include links to a malicious server (e.g. hxxp://ww.xxxxx.us/u.js), which hosts a web exploit toolkit; the toolkit is of course aimed at compromising all visitors' systems via browser flaws.

Analysts from Sucuri described the attack, including the targeted server log below:

This is an HTTP GET request issued by the attacker (probably a bot) to pass a Transact-SQL statement through an improperly sanitized (thus vulnerable) variable in the web application. The SQL code is:

Does this remind you of something? Back in 2009, Guillaume Lovet and I talked about SQL injection at the Virus Bulletin conference and posted some entries on our blog. Well, this new campaign uses exactly the same scheme.

We don't think this kind of attack is targeted; it rather relies on the "scale effect". The attacks are likely automated, bot-powered and template-based: a search engine like Google is used to find victims, and crawlers are then used to brute-force ASPX pages.
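Added example (not part of the original post or of Sucuri's analysis): a small Python scanner over constructed IIS W3C log lines that flags GET requests whose query string carries the T-SQL constructs this template relies on, and decodes the hex literal to reveal the injected script tag. The log lines, the field layout and the keyword list are assumptions; the defanged host is the one quoted above.

```python
import re
from urllib.parse import unquote_plus

# T-SQL constructs that have no business in a web application's query string
# (sysobjects/syscolumns are what the template walks to find columns to append to).
TSQL_INDICATORS = re.compile(
    r"\b(DECLARE|CAST|EXEC(?:UTE)?|CURSOR|sysobjects|syscolumns)\b", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{8,})")  # CAST(0x... AS VARCHAR) hides the payload
SCRIPT_TAG = re.compile(r"<script[^>]*src=", re.IGNORECASE)

def decode_hex_literals(text):
    """Return the text hidden inside 0x... literals (odd-length digit runs are skipped)."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_LITERAL.findall(text) if len(h) % 2 == 0]

def analyze_request(query_string):
    """Classify one URL-encoded query string; returns (suspicious, reasons)."""
    plain = unquote_plus(query_string)
    reasons = []
    keywords = {m.group(1).upper() for m in TSQL_INDICATORS.finditer(plain)}
    if keywords:
        reasons.append("tsql:" + ",".join(sorted(keywords)))
    for payload in decode_hex_literals(plain):
        if SCRIPT_TAG.search(payload):
            reasons.append("hex-encoded script tag: " + payload[:80])
    return bool(reasons), reasons

def scan_iis_log(lines):
    """Scan W3C lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); return hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # W3C directive (#Fields:), blank or truncated line
        _date, _time, client_ip, _method, stem, query, status = fields[:7]
        suspicious, reasons = analyze_request(query)
        if suspicious:
            hits.append({"ip": client_ip, "uri": stem, "status": status, "reasons": reasons})
    return hits

# Constructed sample: one benign request and one injection attempt carrying the defanged
# script reference from the post (the decoded payload is a tag, not a working statement).
_PAYLOAD_HEX = "<script src=hxxp://ww.xxxxx.us/u.js></script>".encode().hex()
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2010-06-08 10:00:01 198.51.100.7 GET /products.aspx id=42 200",
    "2010-06-08 10:00:03 203.0.113.9 GET /products.aspx "
    "id=42;DECLARE+@s+VARCHAR(4000);SET+@s=CAST(0x" + _PAYLOAD_HEX + "+AS+VARCHAR(4000));EXEC(@s);-- 500",
]
```

Running `scan_iis_log(SAMPLE_LOG)` reports only the second request, with both the keyword reason and the decoded `<script src=...>` tag, which is what you would pivot on when cleaning affected text columns.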

Now, the question is, is it the same gang who's behind both campaigns? Or are we dealing with a copy-cat culprit, who decided to leverage a well-known but efficient attack template?